Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

track files in /boot in kexec_tree.txt #1262

Merged
merged 8 commits into from
Jan 17, 2023
Merged

track files in /boot in kexec_tree.txt #1262

merged 8 commits into from
Jan 17, 2023

Commits on Jan 14, 2023

  1. initrd: track files in /boot in kexec_tree.txt 

    Fixes linuxboot#1248
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    accd9f4 View commit details
    Browse the repository at this point in the history

  2. initrd: fix error message to work with kexec_tree

    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    60df237 View commit details
    Browse the repository at this point in the history

  3. initrd kexec_tree: fix various escaping issues 

    Attempt to fix the following issues:
1. unescaped file names may let an attacker display arbitrary
   whiptail prompts --> escape, original code by @JonathonHall-Purism
2. whiptail itself allows escape characters such as \n
   --> use an escape character not used by whiptail, i.e. #
3. performance issues caused by diff'ing too early -->
   only generate a diff to display to the user, if an actual issue is
   found
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    f52466e View commit details
    Browse the repository at this point in the history

  4. initrd: speed up non-GUI booting 

    by not generating the kexec_tree diff in that case
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    e368c3f View commit details
    Browse the repository at this point in the history

  5. initrd: work around a bug in busybox sha256sum 

    busybox sha256sum will create a checksum file for uncommon file names
(e.g. /boot/foo"$\n"bar), but fail to verify that exact file.
https://bugs.busybox.net/show_bug.cgi?id=14226

Thus disallow all files in /boot/ with strange file names at the time of
signing for now. Verifying in the presence of new files with such file
names in /boot/ is no issue for the kexec_tree verification due to the
previously implemented escaping mechanism.
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    4ce8f66 View commit details
    Browse the repository at this point in the history

  6. initrd: call assert_signable earlier 

    No need to check for the GPG card first.
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    c65d6b9 View commit details
    Browse the repository at this point in the history

  7. initrd: assert_signable: use recovery() instead of die() 

    and display some more information to the user, if
available
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    2ae7f53 View commit details
    Browse the repository at this point in the history

  8. initrd: escape_zero: allow some more characters 

    Since it's not supposed to be shell safe, just display safe
inside double quotes, we can allow some more characters.

Also fix the escape character not being escaped.
    @3hhh
    3hhh committed Jan 14, 2023
    Configuration menu
    Copy the full SHA
    d07df1e View commit details
    Browse the repository at this point in the history